In 2018, the Department of Defense began following a new philosophy for cyber operations to better protect U.S. networks and infrastructure.
Known as “defend forward,” the approach allows U.S. cyber forces to operate in foreign networks outside the United States, either to act against adversaries directly or to warn allies of impending cyber activity observed there.
This is the story of how, in two short years, a new cybersecurity strategy has forced the national security community to rethink cyber operations and how "persistent engagement" will work.
After the U.S. military killed an Iranian general in a Jan. 2 drone strike, and after national security experts said they expected Iran might retaliate through cyber operations, the specter of increased cyber attacks against U.S. networks put Cyber Command and its new approach front and center.
“This Iran situation today is a big test of the ‘defend forward’ approach of this administration,” James Miller, senior fellow at Johns Hopkins Applied Physics Laboratory and former undersecretary of defense for policy, said at a Jan. 7 event hosted by the Council on Foreign Relations. “Will [Cyber Command] take preventative action? Will they do it in a way that our allies and partners support and that can be explained to the public?”
While Iran fired several missiles Jan. 7 at a base in Iraq housing U.S. troops as an initial response to the drone strike, many national security experts expect Iran to pursue cyber operations as further retaliation. Iran could also ratchet up its cyber operations against the United States following the collapse of portions of the 2015 nuclear deal between the United States, Iran and five other nations, which curbed Iran’s nuclear weapons capability in return for sanctions relief.
Over the past 12 months, the White House and Congress streamlined many of the authorities used to conduct cyber operations to help cyber forces get ahead of threats in networks around the world. One such provision in last year’s annual defense policy bill gives the Pentagon the authority to act in foreign networks if Iran, among other named nations, is conducting active, systematic and ongoing campaigns of attacks against the U.S. government or people.
Cyber Command declined to comment on what, if anything, they were doing differently since the drone strike.
Some experts, however, have urged caution in assessing how well the defend forward approach has worked so far, given that it is still relatively new.
“The jury is very much still out here,” Ben Buchanan, assistant professor and senior faculty fellow at Georgetown University, said at the same event. “We don’t have a lot of data, there’s been a lot of hand-wringing … about these authorities and about how Cyber Command may or may not be using them. I just don’t think we’ve seen enough to judge whether or not … [it is] meaningfully changing adversary behavior.”
Industry representatives in the threat intelligence space said it is too early to tell if Cyber Command's new assertive approach is having a direct effect on cyberspace.
Others have also expressed reservations about how effective Iran can actually be against U.S. networks in cyberspace.
“Iran is a capable cyber actor, Iran is a willing cyber actor. That means Iran will conduct cyberattacks,” said Jacquelyn Schneider, Hoover fellow at the Hoover Institution at Stanford University. “It’s not like they have this capability and they’ve been deterred in the past and maybe now they’re going to turn it on. I think they’ve been trying this entire time.”
Complicating matters further, other actors could try to take advantage of the U.S.-Iran imbroglio for their own interests.
Priscilla Moriuchi, senior principal researcher and head of nation-state research at threat intelligence firm Recorded Future, said that over the past several months there have been reports of Russian state-affiliated actors hijacking Iranian cyber infrastructure to conduct operations while masquerading as Iranians.
“That creates its own uncertainty,” she said at the same event. “Another level of potential what we call inadvertent escalation if a country perceives that they are attacked by Iran but in reality, it” wasn’t.